Pass Rancher's VEX report to Trivy to remove known false-positives CV…

…Es (#10956)

Signed-off-by: Guilherme Macedo <[email protected]>

.github/workflows/trivy.yaml

@@ -40,13 +40,19 @@ jobs:
         make package-image
         make tag-image-latest
 
+   - name: Download Rancher's VEX Hub report
+      run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
+
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/[email protected]
       with:
         image-ref: 'rancher/k3s:latest'
         format: 'table'
         severity: "HIGH,CRITICAL"
         output: "trivy-report.txt"
+      env:
+        TRIVY_VEX: rancher.openvex.json
+        TRIVY_SHOW_SUPPRESSED: true
 
     - name: Upload Trivy Report
       uses: actions/upload-artifact@v4
@@ -93,4 +99,4 @@ jobs:
     steps:
       - name: Report Failure
         run: |
-          gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:"
+          gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:"

scripts/image_scan.sh

@@ -31,7 +31,11 @@ TRIVY_TEMPLATE='{{- $critical := 0 }}{{- $high := 0 }}
     {{- end -}}
 {{ end }}
 Vulnerabilities - Critical: {{ $critical }}, High: {{ $high }}{{ println }}'
+VEX_REPORT="rancher.openvex.json"
 
-trivy --quiet image --severity ${SEVERITIES} --no-progress --ignore-unfixed --format template --template "${TRIVY_TEMPLATE}" ${IMAGE}
+# Download Rancher's VEX Hub standalone report
+curl -fsS -o ${VEX_REPORT} https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
+
+trivy --quiet image --severity ${SEVERITIES} --vex ${VEX_REPORT} --no-progress --ignore-unfixed --format template --template "${TRIVY_TEMPLATE}" ${IMAGE}
 
 exit 0